Google Chrome Rolls Out Device-Bound Session Credentials to Block Cookie Theft
Google has made Device Bound Session Credentials (DBSC) generally available in Chrome for Windows, rolling it out to Google Workspace customers, Workspace Individual subscribers, and personal Google accounts to blunt account takeovers driven by stolen session cookies. The feature cryptographically binds a session to the device on which authentication occurred, using hardware-backed keys such as the Trusted Platform Module on Windows and Secure Enclave support on macOS, so a cookie exfiltrated by malware cannot be replayed from another machine to bypass MFA. Google said DBSC is enabled by default for Workspace customers, integrates with Context-Aware Access so administrators can make device-aware policy decisions, and surfaces binding events in audit logs for monitoring session integrity.
The move follows sustained abuse of stolen Google authentication artifacts by infostealers and adversaries leveraging mechanisms such as the undocumented OAuth MultiLogin API, with operators tied to Lumma and Rhadamanthys claiming they could restore expired cookies. At the same time, researchers at Phishu disclosed VaultJacking, a phishing technique that can steal an entire Google Password Manager vault after capturing a victim’s 6-digit PIN, then registering an attacker-controlled device to sync passwords and passkeys without malware or prior device compromise. Phishu said the attack sidesteps DBSC because it does not rely on replaying stolen cookies, underscoring that Google’s new protection sharply reduces pass-the-cookie risk but does not stop credential- and PIN-based phishing against synced account data.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Google announces DBSC is generally available in Chrome
Google announced that Device Bound Session Credentials is now generally available in Chrome on Windows and enabled by default for Google Workspace customers, Workspace Individual subscribers, and personal Google accounts. The feature cryptographically binds session cookies to the device where authentication occurred so stolen cookies cannot be reused on another machine.
DBSC previously launched in beta for Google Workspace users
Google's Device Bound Session Credentials feature had previously been available in beta for Google Workspace users before its broader release. The feature was designed to mitigate session cookie theft and pass-the-cookie attacks by binding authenticated sessions to a device.
Phishu documents VaultJacking attack against Google Password Manager
Researchers at Phishu documented a phishing technique called VaultJacking that can compromise an entire Google Password Manager vault after capturing a victim's 6-digit PIN on a fake sign-in page. They described it as a design trade-off rather than an unpatched bug and said it can register a new device in the victim's security domain to download synced passwords and passkeys.
Google begins gradual rollout of DBSC general availability
Google began a gradual rollout of Device Bound Session Credentials on May 25, 2026. The rollout targets Google Workspace customers, Workspace Individual subscribers, and personal Google account users, with full visibility expected within 60 days.
Sources
Chrome blocks session cookie theft: how ... works (zdnet.fr, French-language article; title truncated in the original listing)
Google Chrome’s New Feature Takes Aim at Cookie Theft, Account Hijacking (techrepublic.com)
Chrome stops hackers from stealing your browser cookies now - how its new security feature works (zdnet.com)
Google Chrome's Device-Bound Session Credentials Now GA to Block Account Takeovers (cybersecuritynews.com)
Google Chrome adds session cookie theft protection for all users (bleepingcomputer.com)
VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN (cybersecuritynews.com)
Google Workspace Updates: Prevent account takeovers with Device Bound Session Credentials (DBSC), now generally available in the Chrome browser for Windows (workspaceupdates.googleblog.com)